Tuesday, March 27, 2012

Yes, you read that headline correctly, employers are now asking, in increasing numbers, for employee social media (like Facebook) user names and passwords. If that doesn't send chills down the spine of every American who proclaims to believe in a free country, or even the concept of privacy, I don't know what will.

Let's begin with what we already know about increasing intrusiveness from both government and corporate/employer interests: As of two years ago, Facebook reportedly receives up to 100 demands from the government each week for information about its users. AOL reportedly receives 1,000 demands a month. In 2006, a U.S. Attorney demanded book purchase records of 24,000 Amazon.com customers. Sprint recently disclosed that law enforcement made 8 million requests in 2008 alone for its customer’s cell phone GPS data for purposes of locational tracking.

Now let's get to the corporate side of this privacy creep. It was Facebook itself no less - a known enemy of privacy and the world’s biggest social networking site - that came out just a few days ago with a statement claiming it was alarmed by reports that some businesses ask potential employees for passwords in order to view private posts and pictures as part of the job-application process.

Before I get to California State Senator Leland Yee's bill, proposed this week to ban this practice, let me continue with the initial reaction from two US Senators - New York Senator Charles Schumer and Senator Richard Blumenthal - to this hair raising practice. They have asserted the practice could violate federal anti-hacking statutes and have also, thankfully, asked the U.S. Equal Employment Opportunity Commission to examine the practice as well.

Blumenthal said that by requiring job applicants to provide login credentials, employers could gain access to protected information that would be impermissible for them to consider when making hiring decisions. Those include religious affiliation and sexual orientation, which are protected categories under federal law.

Facebook said on March 23 that accessing such information also could expose businesses to discrimination lawsuits. The company said it might ask policy makers to take action to stop the practice.

...

Facebook and other sites are already used by some potential employers seeking additional background on job applicants because of the personal information posted there. As Facebook has given users additional ways to protect that information from public view, reports have surfaced of employers asking job applicants to voluntarily give them access by providing personal login credentials.
...

The lawmakers also asked the department to investigate whether the practice violates the Stored Communications Act, which prohibits intentional access to electronic information without authorization or in excess of authorization.

This reminds me a lot of the legislation that we (the Consumer Federation of California) supported last year - and was signed into law by Governor Brown - that banned the practices of employers checking prospective employees credit reports. Before I remind people a little more about why that was such a HUGE victory for both privacy and economic fairness, let me get to Senator Leland Yee's legislation here in California.

His legislation would stop employers from formally
requesting or demanding employees or job applicants provide their social media
usernames and passwords.

As the Yee rightly states, “It is completely unacceptable for an employer to invade
someone’s personal social media accounts. Not only is it
entirely unnecessary, it is an invasion of privacy and unrelated to one’s work
performance or abilities. These outlets are often for the purpose of individuals to
share private information with their closest friends and family. Family photos and non-work social calendars have no bearing on a person’s
ability to do their job and therefore employers have no right to demand to
review it.”

Rather than formally requesting passwords and usernames,
some employers have demanded applicants and employees to sit down with managers
to review their social media content or fully print out their social media
pages.

Yee's bill will also prohibit this practice.

As I argued in defense of AB 22 (Mendoza) regarding so called "requests", and thus an employee's "choice" to say yes or no, when you're trying to get a job, especially in this economy, its not exactly "voluntary" when coerced by an employer that can fire you, or choose not to hire you.

As I pointed out last year, and it appears the same is beginning to happen with these kinds of employer requests, a person's
credit rating (which have suffered due to the Great Recession) - also NOT a good indicator of a
person's trustworthiness or work
ethic - were being increasingly demanded by employers (in fact, a whopping 40% of the time!!).

Evi­dence also suggested
that some supervisors factor credit scores into decisions regarding promotion
and evaluation of current workers. Could the same be said for Facebook account content?

In the case of credit ratings, there was also the consideration of the role credit agency fraud played in the housing bubble
burst, subse­quent economic crisis and the reduced credit scores suffered by so
many Americans. In that context, for an employer to discriminate against
someone with a less than stellar credit record is unconscionable. Wall Street excesses and Congress’ weak re­sponse have built plenty of barriers
between the jobless and their prospects for future employ­ment. Allowing
employers to use credit checks to deny employment only serves as another
obstacle to getting Californians back to work.

And to top it all off, credit reports are often inaccurate, and correcting mistaken information is a tedious, time consuming
process, and in the meantime, the job applicant is harmed due to errors by
credit reporting entities.

That was a great victory for California privacy and basic economic fairness...and so should this latest legislation from Leland Yee and his efforts to end the practice of employers demanding and/or requesting access to employee Facebook pages.

If interested, here's an interview I did on the Rick Smith Show last year regarding AB 22:

Wednesday, March 21, 2012

There are two articles I want to alert readers to that directly touch upon two topics I've written about at length on this blog in the past: The Patriot Act and domestic spy drones.

It was June of last year that I wrote an op-ed for the California Progress Report entitled "The Patriot Act and the Quiet Death of the US Bill of Rights" (piece was also picked up by Alternet, Common Dreams, and other outlets) in which I touched on concerns being raised by a few Senators regarding a "secret Patriot Act provision". I wrote:

"Of equal concern is what we still don’t know about how the government might be using the Act, highlighted by recent statements made by US Senators regarding what they termed “secret Patriot Act provisions”. Senator Ron Wyden (D-OR), an outspoken critic of the recent reauthorization, stated, "When the American people find out how their government has secretly interpreted the Patriot Act they will be stunned and they will be angry." As a member of the Senate Intelligence Committee Wyden is in a position to know, as he receives classified briefings from the executive branch.

In recent years, three other current and former members of the US Senate - Mark Udall (D-CO), Dick Durbin (D-IL), and Russ Feingold (D-WI) - have provided similar warnings. We can't be sure what these senators are referring to, but the evidence suggests, and some assert, that the current administration is using Section 215 of the Patriot Act - a provision that gives the government access to "business records" - as the legal basis for the large-scale collection of cell phone location records.

The fact that in 2009 Sprint disclosed that law enforcement made 8 million requests in 2008 alone for its customer’s cell phone GPS data for purposes of locational tracking should only add to these legitimate privacy concerns."

I bring this up today because two of those Senators are back again, raising those SAME concerns, over that same provision (Section 215), to the Justice Department and the Administration.

The New York times reports:

For more than two years, a handful of Democrats on the Senate intelligence committee have warned that the government is secretly interpreting its surveillance powers under the Patriot Act in a way that would be alarming if the public — or even others in Congress — knew about it.

On Thursday, two of those senators — Ron Wyden of Oregon and Mark Udall of Colorado — went further. They said a top-secret intelligence operation that is based on that secret legal theory is not as crucial to national security as executive branch officials have maintained.

The senators, who also said that Americans would be “stunned” to know what the government thought the Patriot Act allowed it to do, made their remarks in a letter to Attorney General Eric H. Holder Jr. after a Justice Department official last month told a judge that disclosing anything about the program “could be expected to cause exceptionally grave damage to the national security of the United States.”

The Justice Department has argued that disclosing information about its interpretation of the Patriot Act could alert adversaries to how the government collects certain intelligence. It is seeking the dismissal of two Freedom of Information Act lawsuits — by The New York Times and by the American Civil Liberties Union — related to how the Patriot Act has been interpreted.

The senators wrote that it was appropriate to keep specific operations secret. But, they said, the government in a democracy must act within publicly understood law so that voters “can ratify or reject decisions made on their behalf” — even if that “obligation to be transparent with the public” creates other challenges.

“We would also note that in recent months we have grown increasingly skeptical about the actual value of the ‘intelligence collection operation,’ ” they added. “This has come as a surprise to us, as we were initially inclined to take the executive branch’s assertions about the importance of this ‘operation’ at face value.”

What we have here is a dual interpretation debate over this provision. We know for instance, that it allows a secret national security court to issue an order allowing the F.B.I. to obtain “any tangible things” in connection with a national security investigation - which include what is referred to as the “business records” like say hotel or credit card records.

But in addition to that kind of collection, what these Senators appear to be contending is that the government has also interpreted - secretly - that this provision allows some other kind of activity to obtain private information about people who have no link to a terrorism or espionage case.

This is disturbing...to say the least. As I thoroughly documented in my original op-ed, "The Patriot Act was sold as an indispensable weapon in the government’s arsenal to fight and “win” the “War on Terror”. We were assured that the sole purpose of these unprecedented powers granted government were to locate and catch terrorists - not raid the homes of pot dealers and wiretap peace activists. Monitoring political groups and activities deemed “threatening” (i.e. environmentalists, peace activists), expanding the already disastrous and wasteful war on drugs, and spying on journalists isn’t about fighting terrorism, it’s about stifling dissent and consolidating power – at the expense of civil liberties.

How ironic that the very “tool” hailed as our nation’s protector has instead been used to violate the very Constitutional protections we are allegedly defending from “attack” by outside threats. What was promised as a “temporary”, targeted law to keep us safe from terror has morphed into a rewriting of the Bill of Rights.

John Whitehead explains: “The Patriot Act drove a stake through the heart of the Bill of Rights, violating at least six of the ten original amendments–the First, Fourth, Fifth, Sixth, Seventh and Eighth Amendments–and possibly the Thirteenth and Fourteenth Amendments, as well. The Patriot Act also redefined terrorism so broadly that many non-terrorist political activities such as protest marches, demonstrations and civil disobedience were considered potential terrorist acts, thereby rendering anyone desiring to engage in protected First Amendment expressive activities as suspects of the surveillance state.”

I would urge EVERYONE to not just continue to demand this Act be repealed, but also to demand what in fact this secret interpretation is, and for what purposes is it being used.

With that said, let's move on to another disturbing new development in the dismantling of our civil liberties: the now LEGAL use of domestic drones to spy on innocent American citizens. I recently documented this story in a blog post entitled "Domestic Spy Drones Approved by Congress".

I want to update you on this story because a fellow privacy advocate - Ryan Calo - recently penned an op-ed on this topic, making some important additional points to those I have, in particular, citing the precedent set by the historic GPS tracking case (which I have also covered in detail here) United States v. Jones.

In Wired magazine, he writes, "The Electronic Frontier Foundation is suing the FAA to release records of who has asked for permission to use drones. The ACLU recently issued a report on drones and privacy. The D.C.-based Electronic Privacy Information Center filed a petition asking the FAA to consider privacy as the agency opens American skies to unmanned flight.

It is easy to see why these and other groups are concerned: It turns out that there is very little in American privacy law that would prohibit drone surveillance within our borders.

...

The prospect of excessive surveillance through technology was recently front and center in United States v. Jones — a case before the Supreme Court involving global position systems. Every one of the nine justices agreed that the police need a warrant before affixing a GPS device to a car and following a suspect for a prolonged period, even where the defendant’s movements take place entirely in public.

And yet for the majority, it was ultimately the act of physically attaching the device to the car that triggered the warrant requirement. Drones can follow a car without the need to attach anything.

Jones is getting a lot of attention. The FBI reportedly turned off thousands of GPS devices in response to the ruling. There is a second case before the Supreme Court right now, however, that has yet to raise red flags in privacy and technology circles.

In Florida v. Jardines, the nation’s highest court will consider whether the police need a warrant before a dog can sniff your house. Dogs can already sniff your bags at the airport or your car at a checkpoint on the theory that no human searches through your belongings unless and until the dog detects contraband — at which point your expectation of privacy is no longer considered reasonable.The question before the Court in Jardines is whether officers suddenly need a warrant because the container being sniffed happens to be your house.

The conceptual leap from dogs to drones is shorter than you might think. As Burkhard Bilger recently wrote in a New Yorker piece about the NYPD’s K9 unit: “Canine police tend to talk about their dogs as if they were mechanical devices. They describe them as tools or technology.”

Police may not peer into the interior of a house using thermal imaging. But perhaps they could equip a drone with thermal or chemical sensors and let it loose to roam a neighborhood in search of invisible infractions such as indoor marijuana. No human would have to see the data unless or until the drone spotted a violation.

The wrong decision in Jardines makes this and similar surveillance scenarios uncomfortably plausible. Drones are a versatile technology. They have great potential to assist in investigations, scientific research, disaster relief and countless other human pursuits. But the FAA needs to take seriously the legitimate concerns of civil-liberties groups, lest our privacy go to the dogs.

As I wrote in my blog, the "GREAT Jim Hightower frames this attack on privacy the best when he wrote:

"Look, up in the sky! Neither a bird nor Superman, the next must-have toy for assorted police agencies is the unmanned aerial vehicle, better known as drones. Yes, the same miniaturized aircraft that lets the military wage war with a remote-controlled, error-prone death machine is headed to your sky, if the authorities have their way. Already, Homeland Security officials have deployed one to a Texas sheriff's office to demonstrate its crime-fighting efficacy, and federal aviation officials are presently proposing new airspace rules to help eager departments throughout the country get their drones.

But airspace problems are nothing compared to the as-yet-unaddressed Fourth Amendment problems that come with putting cheap, flying-surveillance cameras in the air. As usual, this techno-whiz gadget is being rationalized as nothing more than an enhanced eye on crime. But the drone doesn't just monitor a particular person or criminal activity, it can continuously spy on an entire city, with no warrant to restrict its inevitable invasion of innocent people's privacy. Drones will collect video images of identifiable people. Who will see that information? How will it be used? Will it be retained? By its nature, this is an invasive, all-encompassing spy eye that will tempt authorities to go on fishing expeditions. The biggest question is the one that is not even being asked: Who will watch the watchers?."

We would do well to - sooner rather than later - to recognize the inherent and fundamental value that privacy provides ANY claimed democracy. Without one there can not be the other..

Tuesday, March 20, 2012

California privacy stalwart - State Senator Joe Simitian - is back again with another critically important bill. SB 1330 will address what has become one of the fastest-growing trends in law enforcement - including private industry: monitoring and compiling license-plate records (license plate recognition technology, or LPR) on both innocent and criminal drivers which that can then be searched by police.

It goes without saying that this locational tracking of potentially every driver on the road is a threat to privacy. To date, the courts have only begun to address whether investigators can secretly attach a GPS monitoring device to cars without a warrant (the Supreme just ruled they can't).

This ruling hasn't however deterred police from across the country - and companies like Vigilant Video - from utilizing these high-tech
scanners on the exterior of their cars to take a picture of
every passing license plate and automatically compare them to
databases of outstanding warrants, stolen cars and wanted bank robbers.

As alluded to, these scanners are employed by a variety of law enforcement agencies,
asset recovery companies and financial institutions, among other
organizations. While they are admittedly a valuable resource for law
enforcement, they are also valuable to private entities wishing to
acquire or sell data about people’s movements and habits.

In fact, we have learned that some private entities utilize “scout cars”
whose sole purpose is to acquire LPR data; such entities possess
millions of LPR data points, and claim to scan 40 percent of vehicles in
the country on an annual basis.

This volume of LPR data can provide a roadmap to an individual’s
personal life including his or her movements, activities, medical
conditions, friendships, religious practices, vocation, political
beliefs, etc. This poses a serious risk to Californians’ constitutional
right to privacy, especially since LPR data is acquired without an
individual’s knowledge or consent.

Senator Simitian's bill offers a critical safeguard to Californians’ constitutional right to privacy by modeling itself on existing state law governing 1) the use of LPR scanners and data by the California Highway Patrol, and 2) the disclosure of information acquired by transportation agencies through electronic toll collection systems (another bill Senator Simitian recently authored). Most importantly, the law would limit the time enforcement agencies in California can retain such data captured by these license-plate scanners to 60 days, except when the information is being used in felony investigations.

Simitian said in an interview that there’s a critical distinction between consumers who voluntarily choose to turn over private information to Internet companies like Facebook and technologies that quietly collect information on drivers.

He helped hammer out the guidelines in place for the highway patrol and said balancing privacy protections enshrined in the state’s constitution with the tools police need to improve public safety is part of the legislative process. “I don’t think the two are mutually exclusive,” Simitian said.

Lee Tien of the Electronic Frontier Foundation, a digital and privacy rights group based in San Francisco, said it’s “a good attempt at beginning to address the issue.” The foundation so far plans to support the legislation, Tien said.

The bill also would prohibit police from turning the data over to entities that are not engaged in law enforcement, such as private companies.

Simitian’s proposal comes after California Watchreported in January that a Livermore-based company called Vigilant Video had amassed more than a half-billion bits of information on drivers from license-plate scanners. The data come both from police who agree to turn it over for nationwide searches and auto-repossession companies that help banks track down debtors who are delinquent on their car payments.

A company sales manager previously told California Watch that about 1,200 new law enforcement users are signed up every month to search the database, known as the National Vehicle Location Service. While using the devices to nab wanted suspects in real time has a clear value for police, storing historical data from the units is equally alluring to police who are aware of its powerful intelligence value.

Simitian’s bill also would restrict companies like Vigilant, limiting the amount of time data can be held to 60 days, barring them from selling it or giving the data to anyone who is not a law enforcement officer, and making data available to police only when a search warrant has established probable cause. Vigilant says only approved law enforcement officials can sign up to search the National Vehicle Location Service.

Senator Simitian's legislation will be AGGRESSIVELY supported by a broad coalition of privacy and consumer advocates as it strikes a balance between law enforcement’s legitimate use of LPR scanners for public safety purposes, and Californians’ right to privacy.

Wednesday, March 14, 2012

Due to serious time constraints I'm going to refrain from much personal pontificating today and go straight to a great piece by Alternet's David Rosen entitled "Your Are Being Tracked Online: Here Are 5 Ways to Protect Your Privacy". Suffice to say, he lays out a number of the issues I've been covering on this blog, including ways that you can protect your own privacy, but more importantly, as I often argue, what kinds of rules and protections are needed to make this task easier - and give people more power over their data and what's done with it.

I think his general analysis of the President's Consumer Privacy Bill of Rights is on point too...namely, that while conceptually its got a lot of good stuff, there's not a lot of reason to be optimistic that it will end up being very strong, due to deference to the Congress and/or appeasement of big business interests when the time comes to fight for what's most important.

He also delves into the detrimental effects to privacy of media consolidation as well as the shift from paper based media to digitally based....which forces these companies to find new ways (like behavioral tracking) to raise revenue to stay afloat.

With that said, here's a few of the most important passages of his piece in case you don't have the time to read the whole thing:

Overlooked by the media, the Federal Trade Commission issued a warning earlier in February over apparent violations of children’s privacy rights involving the operating systems of the Apple iPhone and iPad as well as Google’s Android and their respective apps developers. Its report, "Mobile Apps for Kids," examined 8,000 mobile apps designed for children and found that parents couldn’t safeguard the personal information the app maker collected.

To illustrate how pernicious this practice is, one iPhone app, Path, offered by a Singapore developer, downloaded an iPhone users' entire address book without alerting them. Prodded by a letter from Congressmen Henry Waxman (D-CA) and G.K. Butterfield (D-NC), Apple’s CEO Tim Cook said the company will ensure that app developers get permission before downloading a user's address book.The battle over your personal data is principally about ad spending. The mass media is witnessing a shift from “broadcast” media like newspapers, radio and TV to “targeted” media like website ads, search capabilities and social networks. The consequences for newspapers and magazines are clear; TV is fighting to hold onto every ad dollar with a new “social TV” initiative. And your personal information is what enables targeted advertising. ...

Two industries, advertising and data brokers, principally drive the colonization of digital personal information. Traditional online usage practices such as monitoring of sites visited, ad click-throughs and email keywords are the bread and butter of information capture.

At a Senate hearing in September 2007 reviewing Google’s acquisition of DoubleClick, Sen. Herb Kohl warned, "The antitrust laws were written more than a century ago out of a concern with the effects of undue concentrations of economic power for our society as a whole, and not just merely their effects on consumers’ pocketbooks. No one concerned with antitrust policy should stand idly by if industry consolidation jeopardizes the vital privacy interests of our ciitzens so essential to our democracy."

The merger of these two ad-serving businesses set the stage of greater integration of personal information gathering and the online ad industry.

According to Forrester Research, total online advertising will more than double over the next five years, jumping from the 2011 estimate of $34.5 billion to $76.6 billion by 2016. Giving some texture to these numbers, eMarketing estimates that the top five online services control more than 70 percent of all monies spent. These five (and their relative market share) are: Google (43.5%), Yahoo! (11.9%), Facebook (7.7%), Microsoft (5.4%) and AOL (2.8%)

Facebook collects two types of information: (i) personal details provided by a user and (ii) usage data collected automatically as the user spends time at the site clicking around. When joining Facebook, a user discloses such information as name, email address, telephone number, address, gender and schools attended. In addition, it records a user’s online usage patterns, including the browser they use, the user's IP address and how long they spend logged into the site.

...

More pernicious, your personal Social Security number, phone numbers, credit card numbers, medical prescriptions, shopping habits, political affiliations and sexual orientation are now fodder for both corporate and government exploitation.

Both the ad agencies and data brokers have information capture down to a bad science. They track your every keystroke, your every order and bill payment, words and phrases in your emails and your every mobile movement.

“Privacy” is an implied – as distinguished from an explicit – right guaranteed by the Constitution. For all the rights suggested in the White House’s white paper, no new real right to privacy is proposed.

...

2. Regulation should replace voluntary compliance.

The White House program is based on the various interested parties, particularly online advertising companies, adopting a voluntary compliance commitment to safeguard people’s online privacy. But will self-regulation work?

...3. Data vendors should be held accountable.

The White House document calls for data brokers to permit consumer reasonable access to the data they collect. It encourages the collectors to provide a mechanism for review, revision and limits to its use.

...4. Bar federal agencies from buying private data.

The white paper fails to address the federal government’s growing reliance on information gathered by private data collectors, whether the information is accurate or not.

...

5. There’s a need for a global personal privacy standard.

The U.S. and Europe are moving in two opposing directions with regard to data privacy rules. The White House plan emphasizes mutual recognition of privacy approaches, an international role for codes of conduct and enforcement cooperation to safeguard personal privacy. Yet, the U.S. model is in keeping with its long tradition of putting the interest of business before its citizens; the Europeans are developing an online privacy program that places the interests of citizens first.

For today's purposes, I'm just going to take you straight to a video posted by a blogger demonstrating yet another hole in the "security" these machines provide.

Before I post the video, here's a clip from the post: A blogger on Tuesday published a video showing how he had snuck a small metal case through the Transportation and Security Administration's (TSA) "billion dollar fleet" of so-called nude body scanners.

Engineer Jonathan Corbett, who runs the blog TSA Out of Our Pants, explained that the problem lies in how the scanner uses dark colors to highlight potential threats like weapons or explosives.

"Again that’s light figure, black background, and BLACK threat items," he explained. "Yes that’s right, if you have a metallic object on your side, it will be the same color as the background and therefore completely invisible to both visual and automated inspection."

"To put it to the test, I bought a sewing kit from the dollar store, broke out my 8th grade home ec skills, and sewed a pocket directly on the side of a shirt. Then I took a random metallic object, in this case a heavy metal carrying case that would easily alarm any of the 'old' metal detectors, and walked through a backscatter x-ray at Fort Lauderdale-Hollywood International Airport."

Again at Cleveland-Hopkins International Airport, Corbett successfully carried his small, empty metal case through the scanners.

"While I carried the metal case empty, by one with mal-intent, it could easily have been filled with razor blades, explosives, or one of Charlie Sheen’s infamous 7 gram rocks of cocaine," he warned. "With a bigger pocket, perhaps sewn on the inside of the shirt, even a firearm could get through."

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.

Privacy Bill List

We provide tracking and analysis of the most important privacy bills moving through the California state legislature.